Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the email_verified claim from upstream providers; the idp.UserInfo struct does not even include a EmailVerified field. An attacker can supply an unverified email claim from an upstream provider to take over accounts that use the same email address.
AnalysisAI
Account takeover in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to hijack accounts by supplying unverified email claims from upstream identity providers. The getExistUserByBindingRule function matches users solely by email address without validating the email_verified claim, enabling cross-IdP account compromise. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02% (5th percentile), but the CVSS 9.1 reflects the severe identity-layer impact.
Technical ContextAI
Casdoor (cpe:2.3:a:casdoor:casdoor) is an open-source Identity and Access Management (IAM), Single Sign-On (SSO), and OAuth/OIDC provider written in Go. The vulnerability resides in the federated identity binding logic: when a user authenticates via an upstream Identity Provider (IdP), the getExistUserByBindingRule function attempts to link the upstream identity to an existing local account using the email claim as the matching key. However, the idp.UserInfo struct in Casdoor's IdP abstraction layer does not define an EmailVerified field, meaning the email_verified boolean claim mandated by OpenID Connect Core 1.0 (Section 5.1) is structurally discarded before binding decisions are made. The root cause is an improper authentication / trust boundary failure (conceptually CWE-287 or CWE-345), where unverified attribute data from a federated source is treated as authoritative for identity resolution. While the input lists the tag as 'Information Disclosure', this mischaracterizes the actual impact, which is account hijacking (integrity/confidentiality compromise of the victim account).
RemediationAI
No vendor-released patch identified at time of analysis - neither the CERT/CC note nor the NVD entry references a fixed Casdoor version or upstream commit. Operators should monitor the Casdoor GitHub repository and the CERT/CC advisory (https://kb.cert.org/vuls/id/780781) for a release above 2.362.0 that adds an EmailVerified field to idp.UserInfo and gates getExistUserByBindingRule on it. As compensating controls, restrict the configured upstream IdPs to only those that cryptographically attest verified emails (e.g., Google, Microsoft Entra, Okta) and remove or disable any IdP connector - particularly generic OAuth or self-hosted OIDC providers - where users can self-assert arbitrary email addresses (side effect: users of those IdPs lose SSO access). Disable the automatic email-based account-binding feature if the deployment exposes it as a configurable rule, forcing manual linking of federated identities to local accounts instead (side effect: increased onboarding friction). Audit existing user records for accounts bound from multiple IdPs sharing the same email and force password resets or re-verification for any high-privilege accounts.
Casdoor v1.97.3 was discovered to contain an arbitrary file write vulnerability via the fullFilePath parameter at /api/u
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated high severity (CVSS 8.
Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-passwo
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. Rated medium severity (CVSS
Path traversal in Casdoor's Local File System storage provider allows authenticated administrators to write arbitrary fi
Token revocation bypass in Casdoor identity management platform (versions 2.362.0 and earlier) allows remote unauthentic
Cross-organization token exchange in Casdoor versions 2.362.0 and earlier allows remote unauthenticated attackers to esc
SAML authentication bypass in Casdoor 2.362.0 and earlier allows remote unauthenticated attackers to authenticate as arb
Authentication bypass in Casdoor 2.362.0 and earlier permits remote attackers controlling a registered upstream Identity
Authentication bypass in Casdoor identity and access management platform (versions ≤2.362.0) allows remote unauthenticat
Authentication bypass in Casdoor (versions ≤2.362.0) allows remote attackers to replay captured SAML assertions to hijac
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32943
GHSA-qq8g-36vc-g254